Risk managers confront myriad cyber challenges

In addition to the National Institute of Standards and Technology's proposed voluntary cyber security framework, other cyber-related issues expected to absorb risk managers this year include insider threats and use of the cloud.

Insider threats. This can include disgruntled, negligent or poorly trained employees and others, such as vendors, who are inside the company's firewall. The root causes of cyber breaches frequently turn out to be “not some super technology, but an insider,” said Alan E. Brill, senior managing director of secure information services at New York-based Kroll Associates Inc. It is aggravated as well by the “bring-your-own device” trend of workers using their own devices, particularly if they are unencrypted, experts say.

The cloud. The use of clouds is going to “really take off” in 2014, and ensuring effective control of corporate data within a cloud environment will be critical, said Oliver Brew, New York-based vice president of technology and privacy for Liberty International Underwriters, part of Liberty Mutual Holding Co. Inc.

Personally identifiable information. While this is not a new issue, theft of personal data “continues to be a very lucrative crime” for cyber thieves. Some of the new technologies that are emerging, including the increased use of mobile payments, are going to make it a bigger risk, said Michael Born, Kansas City, Mo.-based vice president and account executive, global technology and privacy practice, with Lockton Cos. L.L.C.

Big data. Related to the personally identifiable information issue, big data refers to how consumers are conducting more of their lives online. Criminals are able to “hack into a system and suck out data,” mining it for information, said Michael Bruemmer, Austin, Texas-based vice president of Experian Data Breach Resolution, a unit of Experian Information Solutions Inc.

The “Internet of things.” This refers to technology's ability to operate devices, which can be as innocuous as remotely turning on the heat in your home. But it also can be used for far more nefarious purposes, such as controlling a company's fleet of cars or gaining access to confidential medical information, Mr. Born said.

Nation-state and “hacktivism” breaches. While the former are criminally motivated, and the latter — motivated by political activists — are not, there is the potential for both types of breaches to increase, creating disruption via malware or hacking schemes, said Tim Francis, Hartford, Conn.-based enterprise cyber lead for Travelers Cos. Inc.

Regulatory environment. International regulations, including those in the European Union, will put added pressure on companies globally to look closely at their cyber defenses, said Tom Srail, Cleveland-based senior vice president of FINEX North America at Willis North America Inc.